The number of connected devices on enterprise networks is growing faster than most security teams can track. With IoT Analytics reporting 21.1 billion connected IoT devices globally in 2025 -- and projections exceeding 25 billion by 2026 -- the attack surface is expanding at a pace that traditional endpoint security was never designed to handle. Most of these devices cannot run security agents. They ship with default credentials, receive infrequent firmware updates, and operate on proprietary systems that resist modification. The result is an environment where attackers find easy entry points and defenders struggle for visibility. This guide covers what IoT security is, the threats that matter most in 2026, recent breaches that expose real-world consequences, and the layered practices that organizations need to protect connected devices across the modern network.
IoT security is the set of practices, technologies, and policies that protect Internet of Things devices and the networks they connect to from cyber threats. It covers device hardening, network monitoring, data encryption, and access control for connected devices -- sensors, cameras, medical equipment, industrial controllers, and smart appliances -- that often lack the computing resources to run traditional security software. Because these devices collect, transmit, and act on data across enterprise and industrial environments, a compromise can cascade well beyond the device itself.
The scale of the challenge continues to grow. According to IoT Analytics, connected IoT devices reached 21.1 billion globally in 2025, growing 14% year over year. The IoT security market reflects this urgency, with estimates ranging from $8 billion to $45 billion in 2026, depending on how IoT security is defined (source: comparecheapssl aggregation, 2026).
IoT security rests on three pillars: device security, network security, and cloud/data security. Each layer addresses a different segment of the attack surface, but the network layer carries outsized importance because it is the only layer that provides visibility into devices that cannot host their own defenses.
IoT devices present a uniquely difficult security challenge for five reasons:
These vulnerabilities explain why botnet operators and nation-state actors increasingly target IoT devices as their initial foothold into enterprise networks.
IoT security operates across three architectural layers, each addressing a different portion of the attack surface. Understanding how these layers interact -- and where the gaps remain -- is essential for building a defensible IoT environment.
Device layer. Security begins at the device itself through hardened firmware, secure boot processes, credential management, and encryption of data at rest. Manufacturers who follow standards like NIST SP 800-213 build security into devices from the design phase. However, many IoT devices ship without these protections, and organizations cannot retrofit them after deployment.
Network layer. Network segmentation (VLANs, microsegmentation) isolates IoT devices so that a compromise in one segment cannot spread freely. Traffic monitoring and anomaly detection via network detection and response solutions identify suspicious behavior in real time. This layer is the primary control for agentless environments.
Cloud and application layer. API security, access control, and data encryption in transit (TLS 1.2 or higher) protect the cloud services that IoT devices communicate with. Cloud security posture management ensures that misconfigurations -- like the one behind the Mars Hydro breach -- do not expose billions of records.
[Architecture diagram: Three-layer IoT security architecture showing device hardening at the bottom, network monitoring via NDR in the middle, and cloud access controls at the top, with labeled detection points at each layer.]
Since the majority of IoT devices cannot run endpoint agents, network traffic analysis becomes the primary method for identifying compromised devices. According to industry research, 80% of IoT breaches start at the device level (2025, deepstrike.io), yet defenders must detect these compromises from the network -- the only vantage point available.
Network detection and response monitors both east-west (internal) and north-south (external) IoT traffic flows to detect anomalous behavior: command and control callbacks, lateral movement, and data exfiltration attempts. Behavioral analytics baseline each device's normal communication patterns -- an IP camera should communicate with its NVR, not with an external IP in an unfamiliar geography -- and flag deviations automatically.
This agentless approach provides equal visibility into managed and unmanaged devices, closing the gap that endpoint-only strategies leave wide open.
Building a resilient IoT security architecture requires four capabilities working together:
IoT threats in 2026 range from 20+ Tbps botnets and supply chain malware to AI-powered reconnaissance and state-sponsored campaigns targeting critical infrastructure. The table below maps the most prevalent threats to MITRE ATT&CK techniques observed in IoT attacks.
Table: MITRE ATT&CK techniques most commonly observed in IoT attacks (2024--2026)
Botnet recruitment and DDoS. The Aisuru/TurboMirai botnet achieved 20+ Tbps DDoS capability in 2025--2026, representing a 700% year-over-year growth in attack potential. Microsoft Azure blocked a record 15.72 Tbps DDoS attack linked to IoT botnets in early 2026.
Supply chain compromise. BadBox 2.0 compromised more than 10 million smart TVs, projectors, and infotainment systems with pre-installed malware in 2025, making it the largest known TV botnet (source: Asimily).
Ransomware targeting OT and IoT. Ransomware attacks against OT systems surged 46% in 2025, according to Nozomi Networks, increasingly using compromised IoT devices as the initial entry point.
Data exposure. The Mars Hydro misconfiguration exposed 2.7 billion IoT device records in 2025, demonstrating that cloud-side IoT security failures can be just as devastating as device-level compromises.
Across all categories, Bitdefender and Netgear detected 13.6 billion IoT attacks between January and October 2025 alone.
Recent IoT breaches demonstrate that supply chain attacks, botnets, and misconfigurations pose existential risk to unprepared organizations. The five cases below -- all from 2024--2026 -- illustrate the scale and variety of real-world IoT security failures.
The financial consequences of IoT cyberattacks are substantial and growing:
These figures underscore why IoT security is no longer optional. A single data breach from an unmonitored IoT device can cost more than years of preventive investment.
IoT and OT security share overlapping challenges but differ in priorities, device characteristics, and detection methods. Understanding these differences -- and where the domains converge -- is essential as organizations manage increasingly interconnected environments.
Table: Key differences between IoT, OT, and IIoT security
Industrial IoT (IIoT) bridges both worlds, deploying connected sensors and controllers in manufacturing and critical infrastructure settings where both data integrity and physical safety are at stake.
A landmark regulatory development arrived on December 11, 2025, when CISA released CPG 2.0, unifying IT, IoT, and OT security goals under six functions: Govern, Identify, Protect, Detect, Respond, and Recover. This is the first framework to formally bridge all three domains, reflecting the convergence that security teams have been managing operationally for years.
Organizations need integrated threat detection and compliance capabilities that span IoT, OT, and IT -- not siloed tools that create blind spots at the boundaries.
Effective IoT defense requires eight layered practices, from device inventory through zero trust, with network-based monitoring bridging the agentless security gap.
Organizations should also integrate intrusion detection and prevention systems and vulnerability management programs into their IoT security strategy to ensure continuous posture assessment.
Adapting zero trust principles for IoT requires addressing a fundamental tension: many IoT devices cannot support standard zero trust components like multi-factor authentication or client certificates.
Practical solutions include:
The Cloud Security Alliance's Zero Trust Guidance for IoT provides a reference framework for organizations working through this adaptation.
The IoT regulatory landscape is tightening rapidly, with EU CRA reporting obligations arriving in September 2026 and CISA CPG 2.0 already unifying IT, IoT, and OT security goals.
Table: IoT security regulatory landscape as of early 2026
Organizations selling connected products in the EU should begin preparing now. The CRA reporting obligations that take effect September 2026 require manufacturers to report actively exploited vulnerabilities within 24 hours -- a significant operational commitment.
AI-driven network detection, market consolidation, and IT/IoT/OT signal correlation define the future of IoT security for modern enterprises.
AI-powered threat detection is reshaping how organizations protect IoT environments. Machine learning models trained on IoT traffic patterns can identify compromised devices faster than rule-based systems, and generative AI is beginning to automate intrusion response pipelines. By 2026, effective threat detection must ingest data from OT, IoT, and edge domains and correlate it with IT signals for unified visibility.
Market consolidation reflects the strategic importance of IoT security. ServiceNow's $7.75 billion acquisition of Armis in 2025 was the headline deal in a year when cybersecurity M&A exceeded $84 billion overall. Mitsubishi Electric's acquisition of Nozomi Networks (~$883 million) further signals that OT/IoT security has become a boardroom priority.
The network-centric approach is gaining traction as the primary IoT security control. Organizations are investing in behavioral threat detection and threat hunting capabilities that work across managed and unmanaged device populations, treating the network as the universal sensor.
Vectra AI approaches IoT security through the lens of network-based detection and Attack Signal Intelligence. Because IoT devices cannot run endpoint agents, the network becomes the primary source of truth for identifying compromised devices. Vectra AI's philosophy of assuming compromise -- that smart attackers will get in, and finding them quickly is what matters -- applies directly to IoT environments, where the expanding attack surface of unmanaged devices demands unified visibility.
This means correlating signals across on-premises, cloud, identity, and IoT/OT environments to surface real attacks, not more alerts. When a camera starts communicating with an unfamiliar external host or a sensor begins scanning internal subnets, network detection and response identifies the behavior and prioritizes it for investigation -- regardless of whether that device can run an agent.
The IoT security landscape will continue to shift significantly over the next 12--24 months, driven by regulatory deadlines, evolving attack techniques, and technology convergence.
Regulatory enforcement begins in earnest. The EU Cyber Resilience Act's reporting obligations take effect September 11, 2026, requiring manufacturers to report actively exploited vulnerabilities in connected products within 24 hours. Organizations that sell or deploy IoT devices in the EU should audit their vulnerability disclosure processes now. In the United States, the future of the FCC Cyber Trust Mark program remains uncertain after UL Solutions withdrew as administrator in December 2025, but bipartisan congressional support suggests a replacement will emerge.
AI arms race accelerates. Attackers are using AI for automated vulnerability scanning, adaptive DDoS patterns, and evasion techniques that morph in real time. Defenders are responding with AI-driven behavioral analytics that can baseline millions of IoT devices and detect anomalies at machine speed. The advantage will go to organizations that deploy AI defensively before attackers scale their AI offensively.
IT/IoT/OT convergence becomes operational reality. CISA CPG 2.0 formalized what security teams have known for years: IT, IoT, and OT cannot be secured in isolation. Over the next 12 months, expect to see unified security platforms that correlate signals across all three domains, replacing the fragmented toolsets that create blind spots at domain boundaries. Organizations should prioritize investments in platforms that deliver cross-domain visibility.
Device volumes continue to climb. With IoT device counts projected to surpass 25 billion in 2026, the sheer volume of unmanaged endpoints will overwhelm organizations that rely on manual inventory and one-device-at-a-time security. Automated discovery, classification, and behavioral monitoring will shift from best practice to baseline requirement.
IoT security is no longer a niche concern -- it is a core enterprise requirement. With 21.1 billion connected devices in 2025, threats escalating from 20+ Tbps botnets to supply chain malware affecting millions of devices, and regulatory deadlines approaching, organizations that defer IoT security investment are accepting risk they may not be able to absorb.
The path forward is clear. Build a complete device inventory. Segment IoT devices from critical systems. Deploy network-based detection to cover the devices that cannot protect themselves. Prepare for the EU CRA and CISA CPG 2.0 requirements that are already on the calendar. And adopt a mindset that assumes compromise -- because in an environment with hundreds of thousands of unmanaged devices, finding the attacker quickly matters more than hoping they never get in.
Explore how Vectra AI's approach to network detection and response provides unified visibility across IoT, OT, cloud, and identity environments -- turning the network into the sensor that endpoint agents can never be.
IoT security is the set of practices, technologies, and policies designed to protect Internet of Things devices and the networks they connect to from cyber threats. It encompasses device hardening, network monitoring, data encryption, and access control for connected devices that often lack the computing resources to run traditional security software. With IoT Analytics reporting 21.1 billion connected devices in 2025, IoT security has become a critical enterprise concern. The three pillars of IoT security -- device security, network security, and cloud/data security -- work together to protect devices from initial compromise, detect threats in transit, and secure the data these devices generate. Organizations that neglect any one pillar create gaps that attackers routinely exploit.
The most critical IoT threats in 2026 include botnet recruitment (the Aisuru/TurboMirai botnet achieved 20+ Tbps DDoS capability), supply chain compromise (BadBox 2.0 pre-infected more than 10 million devices), default credential exploitation, firmware vulnerabilities, and lateral movement from IoT to IT networks. Emerging threats include AI-powered automated reconnaissance, state-sponsored campaigns like IOCONTROL targeting critical infrastructure, and next-generation Mirai variants such as Eleven11bot and Kimwolf. The 46% surge in ransomware attacks against OT systems (Nozomi Networks, 2025) also signals growing risk at the IoT/OT boundary.
Start with a complete device inventory to identify every connected device on your network. Then implement network segmentation to isolate IoT devices in dedicated VLANs. Change all default credentials immediately -- the OWASP IoT Top 10 ranks this as the top vulnerability. Deploy network-based monitoring such as NDR to detect threats on devices that cannot run agents. Automate firmware updates to close known vulnerabilities. Encrypt all data in transit with TLS 1.2 or higher. Apply zero trust principles by verifying every device and connection. Finally, plan for full device lifecycle management from procurement through decommissioning, following guidance from NIST SP 800-213 and CISA CPG 2.0.
IoT security focuses on protecting connected devices like cameras, sensors, and smart appliances, typically prioritizing data confidentiality and integrity (the traditional CIA triad). OT security protects industrial control systems -- SCADA, PLCs, and distributed control systems -- where physical safety and availability are paramount, reordering priorities to Availability, Integrity, Confidentiality (AIC). Industrial IoT (IIoT) bridges both domains, deploying connected sensors and controllers in industrial settings. CISA CPG 2.0, released December 11, 2025, unified IT, IoT, and OT security goals for the first time under six functions, reflecting the operational convergence that modern organizations must manage.
IoT devices are vulnerable for five structural reasons. They often ship with default or hardcoded passwords that users never change. They run proprietary or embedded operating systems that cannot host security agents. They receive infrequent firmware updates, with 60% of IoT breaches tracing back to unpatched firmware (2025, deepstrike.io). They have long lifecycles -- sometimes 10 to 25 years -- without planned end-of-support security patches. And they operate in a heterogeneous ecosystem with thousands of manufacturers and inconsistent security standards, making centralized management extremely difficult. These constraints mean that network-level monitoring is often the only viable way to detect when an IoT device has been compromised.
Organizations should monitor six key regulatory frameworks. The EU Cyber Resilience Act has reporting obligations taking effect September 11, 2026, with main obligations following in December 2027. The UK PSTI Act is already enforceable and bans default passwords on consumer IoT. CISA CPG 2.0, released December 2025, provides unified IT/IoT/OT security goals for US critical infrastructure. NIST SP 800-213 offers IoT-specific security controls. IEC 62443 covers industrial automation and control systems. The FCC U.S. Cyber Trust Mark, a voluntary labeling program, is pending a new administrator after UL Solutions withdrew in December 2025.
IoT device management encompasses the processes and tools for provisioning, monitoring, updating, and decommissioning connected devices throughout their entire lifecycle. It includes automated asset discovery to maintain a real-time inventory of every connected device, firmware update management to patch known vulnerabilities, configuration management to enforce security baselines, access control to limit device communications to authorized services, and health monitoring to detect degraded or compromised devices. Effective device management is foundational to IoT security because organizations cannot protect devices they do not know about. NIST and CISA both emphasize device inventory as the first step in any IoT security program, and the eight-step best practices framework outlined above begins with this capability for good reason.
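The inventory and segmentation steps described in the best-practice answers above can be expressed as a reconciliation check: compare what discovery sees on the wire with the approved inventory and the VLAN each device class is supposed to live in. The following is an added example for this page, not code from Vectra AI or from any cited framework. The inventory CSV, the discovered MAC/IP pairs and the VLAN-to-subnet map are constructed for the demonstration; the column names and finding types are this example's own conventions.

```python
"""Reconcile discovered devices against inventory and VLAN policy (added example)."""
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed VLAN layout for the hypothetical site: VLAN name -> subnet.
VLAN_SUBNETS = {
    "iot-cameras": ip_network("10.10.20.0/24"),
    "iot-sensors": ip_network("10.10.30.0/24"),
    "corp-users": ip_network("10.10.50.0/24"),
}

# Constructed inventory export (mac, name, device_class, approved_vlan).
INVENTORY_CSV = """\
mac,name,device_class,approved_vlan
00:1b:2c:aa:bb:01,cam-lobby,ip-camera,iot-cameras
00:1B:2C:AA:BB:02,cam-dock,ip-camera,iot-cameras
00:1b:2c:cc:dd:03,hvac-sensor-3,sensor,iot-sensors
00:1b:2c:ee:ff:04,badge-reader-1,access-control,iot-sensors
"""

# Constructed discovery result, as an ARP/DHCP sweep would yield: (mac, ip).
DISCOVERED = [
    ("00:1b:2c:aa:bb:01", "10.10.20.5"),   # camera where it belongs
    ("00:1b:2c:aa:bb:02", "10.10.50.33"),  # camera plugged into the user VLAN
    ("00:1b:2c:cc:dd:03", "10.10.30.7"),   # sensor where it belongs
    ("00:aa:bb:cc:dd:99", "10.10.30.40"),  # never inventoried
]


def parse_inventory(text):
    """Read the inventory CSV into a dict keyed by normalized (lowercase) MAC."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["mac"].strip().lower(): row for row in rows}


def vlan_for(ip, vlan_subnets=VLAN_SUBNETS):
    """Return the VLAN name whose subnet contains ip, or None if no subnet matches."""
    addr = ip_address(ip)
    for name, subnet in vlan_subnets.items():
        if addr in subnet:
            return name
    return None


def reconcile(inventory, discovered, vlan_subnets=VLAN_SUBNETS):
    """Produce findings: unknown devices, segmentation violations, and unseen inventory."""
    findings = []
    seen = set()
    for mac, ip in discovered:
        mac = mac.lower()
        seen.add(mac)
        entry = inventory.get(mac)
        if entry is None:
            findings.append({"type": "unknown_device", "mac": mac, "ip": ip})
            continue
        actual = vlan_for(ip, vlan_subnets)
        if actual != entry["approved_vlan"]:
            findings.append({"type": "segmentation_violation", "mac": mac, "ip": ip,
                             "name": entry["name"], "expected": entry["approved_vlan"],
                             "actual": actual})
    # Inventory entries that discovery never saw: decommissioned, offline, or
    # sitting on a segment discovery does not cover.
    for mac, entry in inventory.items():
        if mac not in seen:
            findings.append({"type": "not_seen", "mac": mac, "name": entry["name"]})
    return findings


def run_demo():
    """Reconcile the constructed discovery sweep against the constructed inventory."""
    return reconcile(parse_inventory(INVENTORY_CSV), DISCOVERED)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

MAC addresses are normalized to lowercase because inventory exports and discovery tools rarely agree on case, and a case mismatch would otherwise turn a known camera into a false "unknown device". In practice the discovery input would come from switch MAC tables, DHCP leases or passive traffic observation rather than a hand-written list.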